Lack of transparency makes risk, performance and compliance information hard to discover, collect and maintain. Within every organization, governance areas are conducting activities, each based on different assumptions with different standards, all of which contain a risk component.
While these are typically not thought of as risk activities, when the responsibilities of each governance area are compared to a risk based process – identifying & assessing, mitigating, and monitoring – you find that the activities within vendor management, business continuity, financial reporting compliance, etc. are actually exercises in risk management.
An example of risk intelligence that collected in these silos are the Business Impact Assessments (BIAs) and Vendor Assessments conducted by the Business Continuity and Vendor Management departments within your organization.
These activities often necessitate overlap, especially when BCP/DR is tasked with identifying the key vendors that must be utilized in a disaster recovery scenario. Both groups might take on the exercise in identifying vendor relationships to core business processes, with a vastly different set of assumptions, without ever leveraging the expertise of the other business area.
When risk activities (like Business Impact Assessments and vendor due diligence) are carried out on the same standards and assumptions and thought of as a common framework, they can be compared and utilized cross-functionally. Business Continuity Managers and Vendor Management will have a common language to use when identifying critical vendors to the disaster recovery process. Since these activities are already taking place anyway, no new work is added, the standardization in language has allowed both groups to be more efficient and utilize the expertise and insight of the other business silo.
Few organizations operate in this manner because functions track their data in their own spreadsheets with standards they’ve developed for their specific business silo. Using BCP software to know which vendors are considered critical makes vendor managers better at their job, and likewise in the opposite direction. It also decreases time spent on tactical activities, freeing these groups up to focus on the strategic elements of their profession that make them most effective.